> I think that would still be trivially exploitable by anyone who knew
> about it. It seems like that kind of work would just lead to a false
> sense of security.

I've been thinking about this, and I don't see how it's exploitable, so either I didn't express myself well, or I am missing something. My thought is that, in the controller function, I need to get a user's authentication cookie in order to track the user's activity. If the user is DOS'ing me by trickling bytes to me, then I will time out while trying to read in the cookie, and I will sever the connection. If the user gives me a valid authentication cookie and then starts trickling more data in, then I can at least log the activities of that user, and take action against a person whose identity is known to me. Is there a hole in that?

> It might need to be done with a compile-time flag instead of a runtime
> check for zero.

That would actually be really great. I basically never want the framework's core to do any timeouts. I've put this in as a feature request (https://github.com/snapframework/snap-core/issues/#issue/50) so it doesn't get lost.
